What we should be doing

Changing passwords is security theater. It doesn't fix anything if hackers have access to your passwords, they have access to the new ones too.

What we should be doing: Specifics

In a comment below, I outlined a plan. I thought it should be in the post itself.

First, I think we need leadership. Then we need to have a surefire way to discover vulnerable servers. You have to figure the hacking community is working quickly to figure out how to do this, if they haven't already done so.

Then we have to enlist the help of users in discovering those servers.

A simple feature added quickly to all the major browsers that lights up when you're on a server that's not secure. And that event goes into a database, and that information is quickly shared with the owner of the system, when they can be located (some are not going to be easily located).

Then again, if we had some leadership we could just isolate those systems. Cut them off the net, so that they themselves can be damaged, but they can't be used themselves to cause damage. Again I'm sure we're falling behind the bad guys as we speak. Of course they aren't running press releases. That's probably the major reason the press isn't carrying any of the urgent messages that need to get out there.

A Kickstarter project, that was immediately funded to do this work would be a good sign. Then we have to get the Netcraft people involved, and Schneier, and maybe a few other organizations that are good at communicating with programmers -- O'Reilly, the developer programs at the big tech companies -- Google, Apple, Facebook, Amazon, Microsoft, Twitter, Oracle, IBM, Salesforce, etc. Stack Exchange, Hacker News, Slashdot.

The goal is to develop a communication system, quickly, to help locate and fix the vulnerable systems. And then brace for what comes next.

Last built: Wed, Jul 9, 2014 at 11:23 AM

By Dave Winer, Wednesday, April 16, 2014 at 10:20 AM. Ask not what the Internet can do for you...